AI Data & Privacy
Mitzu Agent is designed so you can put AI to work on your product data without handing that data over. This page explains what the agent sends to the underlying language model, what it never sends, and the controls you have over AI features and the data they generate.
At a glance
| Guarantee | What it means |
|---|---|
| Metadata isolation | Only aggregated query results and catalog metadata reach the model — never raw, event-by-event data. |
| No model training | Your data is never used to train or fine-tune language models. |
| Per-workspace controls | AI features are governed by per-project settings and can be disabled entirely for a workspace on request. |
| Configurable retention | AI conversation logs are stored in your Mitzu workspace and can be deleted on request. |
| Bring your own model | Optionally run the agent against your own model-provider account, arranged via support. |
The foundation
Mitzu Agent — the in-app analytics agent, the configuration agent, Scheduled Agents, the Slack Agent, and the MCP Server — runs on Anthropic's Claude models (Sonnet and Haiku) through the Claude Agent SDK. Anthropic is the only language-model provider Mitzu uses for these features.
Every agent runs against your own warehouse data, scoped to the workspace and to the permissions of the authenticated user who started the run. The agent queries your warehouse the same way the Mitzu app does, then reasons over the results.
Metadata isolation
The agent works with aggregated query results and catalog metadata, not raw event streams.
- Aggregated results only. When the agent runs a segmentation, funnel, retention, or journey analysis, it receives the same aggregated figures you would see on a chart — distinct breakdown values with their counts — not a per-event log. Results are truncated before they enter the model's context, so large result sets are capped rather than streamed in full.
- Large results stay out of context. Any oversized tool result is written to a server-side artifact instead of being passed to the model. The agent then pages, filters, and sorts that artifact through dedicated tools — the raw rows never all land in the prompt.
- Metadata, not data, for context. When you ask the agent to explain a chart, it receives the chart's specification (its title, metric, and configuration) plus a small preview — not the underlying dataset.
- Raw events stay in your warehouse. The agent cannot export or stream event-by-event logs. If you ask for raw per-event rows, it will tell you that isn't available and point you back to your warehouse.
The agent acts on behalf of the signed-in user and respects that user's role and permissions. Values that are modeled in your data catalog — including user attributes — can appear in an aggregated result if a member with access asks for them, exactly as they would in the Mitzu app. The isolation guarantee is about raw event data: that never leaves your warehouse for the model.
No model training
Under Mitzu's commercial agreement with Anthropic, data sent to the model is never used to train or fine-tune it. Prompts and results are processed to answer your question and are not retained by the provider to improve its models.
Using your own model provider
Mitzu Cloud runs every agent on Anthropic's Claude models through a single, Mitzu-managed provider credential — there are no keys for you to configure. If you would rather the agent run against your own model-provider account, using an API key you control, that can be arranged for your workspace. Contact support to set it up.
Access control and authentication
- The MCP Server authenticates with OAuth 2.0 (WorkOS). Clients complete a browser login on first connect and receive a short-lived, automatically rotating access token — there is no long-lived key to copy or store. See the MCP Server page for details.
- Per-tool scopes and permissions. MCP tools are gated by OAuth scopes (
mitzu:workspace:read,mitzu:data:query,mitzu:workspace:manage) and by the caller's Mitzu role. A client granted read-only scopes cannot invoke write tools. - Role-gated configuration. The configuration agent only exposes tools that change your workspace — adding tables, editing mappings, triggering indexing — to members with the Manage workspace permission. Everyone else gets a read-only agent.
Controlling AI features
You control where and how the agent runs:
- Model selection — choose the model (Auto, Sonnet, or Haiku) per project in Workspace settings → AI.
- Web search — off by default. The agent only performs web searches if you explicitly enable it for a project.
- Custom instructions — add per-project guidance that is prepended to every run.
- Usage quotas — each organization has a monthly AI query quota. Once it is exhausted, new runs are refused until the quota resets.
- Kill-switch — AI features can be disabled entirely for a workspace. Contact support to turn the agent off for your tenant.
Data storage and retention
Mitzu Cloud runs on Amazon Web Services (AWS). This section describes what the agent stores, where, and for how long. Self-hosted and private-cloud deployments keep all of this data in your own infrastructure instead.
What is stored
When you use the agent, Mitzu records the conversation so you can revisit it from the All Content page. A stored conversation includes:
- the prompt text you sent and the context of the page you started from;
- the agent's responses, reasoning steps, and the tools it called with their inputs;
- any charts the agent produced — the rendered image and the aggregated result data behind them;
- the model used and timestamps;
- a reference to the originating Slack thread, for Slack conversations;
- any feedback you leave on a response.
Where it is stored
- Conversations are stored in Mitzu's primary database, an encrypted PostgreSQL instance on AWS RDS.
- Agent session state — used to resume a conversation where you left off — is stored on an encrypted AWS EFS volume.
- Working artifacts — the large intermediate result sets the agent pages through during a single run — are held only in ephemeral, container-local storage. They are never written to durable object storage, and are discarded when the run's compute is recycled.
- Provider credentials live in AWS Secrets Manager, never in application tables.
Consistent with metadata isolation, raw event data is not copied out of your warehouse into any of these stores — only aggregated results and metadata are.
Retention
Conversation logs are retained for as long as their workspace and project exist, so your history stays available. They are permanently deleted when the associated project or workspace is deleted, at which point the records are removed from the database. Encrypted database backups are retained for 14 days before they are purged.
If you need conversation logs deleted sooner — or want a specific retention window applied to your workspace — contact support, and we will remove them or configure a policy for you.
Questions
For security reviews, data processing agreements, or questions not covered here, reach out to support@mitzu.io.